Belgian security researcher Arne Swinnen found an inventive way to steal money from companies like Facebook (through the Instagram service), Google, and Microsoft, using their 2FA voice-based token distribution systems.
Most companies that deploy 2FA (Two-Factor Authentication) send short codes via SMS to their users. Optionally, if the user chooses to, he can also receive a voice call from the company as well, during which a robot operator speaks the code out loud.
These phone calls are usually placed to the phone number officially tied to those specific accounts.
Attacks could theoretically work against other companies as well
Swinnen discovered in his experiments that he could create Instagram Google and Microsoft Office 365 accounts, which he could then tie to a premium phone number instead of a regular phone number.
When one of these three would call the account’s phone number to communicate the user his access code, the premium SMS number would register an incoming call and bill the companies.
Swinnen argues that attackers could create premium phone services and fake Instagram, Google or Microsoft accounts, linking them together.
Using automated scripts, Swinnen says that an attacker could request 2FA tokens for all accounts, and by doing so, placing legitimate phone calls to his service, earning him quite a nice profit.
Attacks lead to huge profits
According to Swinnen’s calculations, he could theoretically obtain €2,066,000 per year from Instagram, €432,000 per year from Google, and €669,000 per premium number from Microsoft.
The technical and exploitation details are different per each service, and Swinnen explained them.
The researcher reported the possible attack to all three services, via their bug bounty programs. Facebook rewarded the researcher with $2,000, Microsoft with $500, and Google with a mention in the company’s Hall of Fame.
Arne Swinnen is the same researcher that found anfor Facebook, and later helped Instagram fix its login mechanism against various .